The term “malware” is short for malicious software and is used to refer to any software designed to infiltrate or damage a computer system without the owner's informed consent. Malware can include viruses, worms, trojan horses, rootkits, adware, spyware and any other malicious and unwanted software. Many computer devices, such as desktop personal computers (PCs), laptops, personal data assistants (PDAs) and mobile phones, can be at risk from malware. Computer systems running the Windows™ operating system are particularly at risk from malware, but all operating systems will be at some risk. Examples of other operating systems that could be at risk are Mac OS™, Linux™, Android™, iOS™, Windows Mobile™, and Blackberry OS™.
Computer users will typically run antivirus (AV) and/or internet security (IS) software applications, for example F-Secure's™ Anti-Virus and Internet Security applications, to detect malware and protect against malware attacks on their computer system. Detecting malware is challenging, as malware is usually designed to be difficult to detect, often employing technologies that deliberately hide the presence and processes of malware on a system. Consequently, anti-virus and internet security applications will use a large number of techniques in order to detect malware effectively, and reduce the risk of any malware going undetected.
A common method of detecting malware is code analysis. The AV and/or IS software has access to a database of “signatures”, each representative of code or features typically found in malware, or known to occur in a specific instance of malware. If, during a scan of the system, code is found that matches one of the signatures in the database, it can be flagged as suspicious or as malware, as appropriate, and the appropriate course of action can be taken to quarantine and/or remove the malware from the system.
Unfortunately, due to the large volume and constantly evolving nature of malware created to attack computer systems (for example, using obfuscation techniques), signature-based detection is not completely effective at identifying all malware threats. In addition, signature-based detection is not at all effective against “zero-day attacks”, i.e. attacks that exploit a previously unknown vulnerability in a computer application, so that at the time the attack is made there is no awareness of the vulnerability, or that employ obfuscated code bearing little resemblance to known code. To protect effectively against zero-day attacks, heuristic methods are used to try to detect suspicious behaviour that might be indicative of malware. Again, as explained above, it is best to use a variety of heuristic methods concurrently to provide the highest level of protection.
Sophisticated malware may attempt to remain undetected by not running as a separate process, but instead running its code as part of a system process. One example of a Windows system process that is often “hijacked” in this way is explorer.exe. System process hijacking is of particular concern for likely targets of cyber attacks, such as important computer systems containing sensitive information, or for individual processes, such as the web browser that a home user relies on to access online banking services.
For these reasons, it is important that anti-virus products and/or system forensic tools that detect malware infections use techniques that can detect suspicious code that is running on a system without having to know the details of the code.
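The following is an added example, not part of the patent text and not F-Secure's implementation, of the kind of heuristic the two preceding paragraphs call for: it inspects a process's memory map and flags executable code that no loaded module accounts for, without needing any knowledge of what that code is. The region fields mirror the real Windows MEMORY_BASIC_INFORMATION structure (as returned by VirtualQueryEx), but the map for explorer.exe below is constructed by hand rather than captured from a live system.

```python
# Added example: flag code running inside a system process (e.g. a hijacked
# explorer.exe) without knowing the code itself. Legitimate code lives in
# MEM_IMAGE regions backed by a file on disk; injected code usually sits in
# private memory, often writable and executable at the same time.
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Subset of the real Win32 constants for region type and page protection.
MEM_IMAGE, MEM_MAPPED, MEM_PRIVATE = 0x1000000, 0x40000, 0x20000
PAGE_READONLY, PAGE_READWRITE = 0x02, 0x04
PAGE_EXECUTE, PAGE_EXECUTE_READ = 0x10, 0x20
PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY = 0x40, 0x80
EXECUTABLE = {PAGE_EXECUTE, PAGE_EXECUTE_READ,
              PAGE_EXECUTE_READWRITE, PAGE_EXECUTE_WRITECOPY}


@dataclass
class Region:
    base: int
    size: int
    protect: int
    mem_type: int
    module: Optional[str]  # file backing an image region, else None


def suspicious_regions(regions: List[Region]) -> List[Tuple[Region, str]]:
    """Return (region, reason) pairs for executable memory that is not
    explained by a module loaded from disk. Ordinary heap/stack memory is
    private but not executable, so it is never flagged."""
    findings = []
    for r in regions:
        if r.protect not in EXECUTABLE:
            continue
        if r.mem_type == MEM_PRIVATE:
            findings.append((r, "executable private (non-image) region"))
        elif r.protect == PAGE_EXECUTE_READWRITE:
            findings.append((r, "writable and executable at the same time"))
        elif r.mem_type == MEM_IMAGE and not r.module:
            findings.append((r, "image region with no backing module"))
    return findings


# Constructed map for a hypothetical explorer.exe: normal image sections,
# an ordinary heap, and one private RWX allocation of the kind a hijacker
# that runs its code inside the process would leave behind.
SAMPLE_MAP = [
    Region(0x7FF600000000, 0x1000, PAGE_READONLY, MEM_IMAGE, r"C:\Windows\explorer.exe"),
    Region(0x7FF600001000, 0x80000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\Windows\explorer.exe"),
    Region(0x7FFB10000000, 0x1C000, PAGE_EXECUTE_READ, MEM_IMAGE, r"C:\Windows\System32\ntdll.dll"),
    Region(0x1E0C0A00000, 0x10000, PAGE_READWRITE, MEM_PRIVATE, None),
    Region(0x1E0C0C00000, 0x3000, PAGE_EXECUTE_READWRITE, MEM_PRIVATE, None),
]

if __name__ == "__main__":
    for region, why in suspicious_regions(SAMPLE_MAP):
        print(f"{region.base:#x} +{region.size:#x}: {why}")
```

On a real system the same check is run over the output of VirtualQueryEx for each process, and a hit is a candidate for further analysis (memory dump, signature scan of the region) rather than a verdict on its own.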
As already mentioned, AV and IS applications utilise a number of detection methods when scanning for malware. There is of course always a need to add further detection methods, and in particular methods that can help to defeat zero day attacks.